Proximity Based Device Security

ABSTRACT

Devices, systems and methods are disclosed for additional security, functionality, and convenience in the operation of a wireless communication device with the use of a separate proximity security token in communication with the wireless communication device. In exemplary embodiments, the token is carried by the user while device logic is installed on the user's wireless communication device. The device logic along with transceivers allows the device to sense proximity of the token through wireless communication. Given a certain range of the proximity security token, as determined by the wireless signal strength, the device logic determines whether the device is in a locked or unlocked state. If the proximity security token is outside the range, then the device is locked. The proximity security token uses ultra-low power communications for optimal battery life.

CROSS-REFERENCE TO RELATED APPLICATION

This application is a continuation of and claims priority to U.S. patent application Ser. No. 12/818,988, filed Jun. 18, 2010, entitled “Proximity Based Device Security,” now allowed, which is incorporated herein by reference in its entirety.

BACKGROUND

1. Technical Field

The present disclosure relates to device security. More specifically, the present disclosure relates to using a proximity security token to provide proximity-based device security.

2. Background

Communications devices, such as cellular telephones, have become a common tool of everyday life. Cellular telephones are no longer simply used to place telephone calls. With the number of features available rapidly increasing, cellular telephones, often in the form of a smartphone, are now used for storing addresses, keeping a calendar, reading e-mails, drafting documents, etc. With this wide range of features comes an even greater need for security. For instance, e-mails or documents may be private or privileged and need to be safe from unauthorized users. An unauthorized user picking up or stealing the smartphone should not be able to access this private information.

As more enterprises turn towards smartphones, the ability to lock phones is a necessity. Currently, smartphones may be password protected through the keypad. However, users of smartphones find password locks on smartphones annoying and inconvenient. The user sets up a password consisting of a series of keystrokes which must be re-entered to later access the cellular phone. These passwords can generally be any number of characters which the user will remember. Ideally, the password is challenging enough that an unauthorized user cannot simply guess the password and gain access. A problem with using simply a keypad for password entry is the ability of others to determine the password without the user's knowledge. Someone may be able to see the user enter the password and easily be able to repeat it. Additionally, these passwords are inconvenient, as users must look directly at the keypad and press a sequence of buttons. The keys are often small with hard to read numbers or letters and lockouts may require frequent use of the passwords. Thus, users often choose to disable such features. More of these users may choose to utilize the security mechanisms if such mechanisms were easier and more convenient. Such security becomes even more important as devices are used more frequently as a means for mobile payments.

What is needed is a way to secure a device while keeping the device easily accessible to an authorized user.

SUMMARY

The present invention addresses the above-identified issues by providing a separate proximity security token in communication with a wireless communication device. In exemplary embodiments, the token is carried by the user while device logic is installed on the user's wireless communication device. The device logic along with transceivers allows the wireless communication device to sense proximity of the token through wireless communication. Given a certain range of the proximity security token, as determined by the wireless signal strength, the device logic locks or unlocks the wireless communication device. In embodiments of the invention, if the proximity security token is too far away, then the wireless communication device is locked and can only be accessed via a backup method of entering a password or other direct input form such as voice authentication. Embodiments of the proximity security token solution make use of ultra-low power communications so that the proximity security token does not need to be continuously recharged, but instead is powered by a coin cell battery.

The proximity security token also provides an enhanced two factor authentication function for controlling other services on the wireless communication device or web based services via the wireless communication device. Exemplary embodiments of the present invention include an input, such as a biometric scanner, within the proximity security token. The input provides for further authentication based upon the identity of the user or an entry.

In one exemplary embodiment, the present invention is a wireless communication device for allowing use when in range of a proximity security token. The device includes a processor, a memory in communication with the processor, a transceiver in communication with the processor, and a device logic on the memory. The device logic detects the presence of the proximity security token, receives a key from the proximity security token, allows use of the device, and monitors the presence of the proximity security token while the device is in use. The device logic prevents use of the device upon detecting an absence of the proximity security token.

In another exemplary embodiment, the present invention is a proximity security token for allowing use of a wireless communication device when in range of the wireless communication device. The proximity security token includes a processor, a memory in communication with the processor, a transceiver in communication with the processor, a secure input in communication with the processor, a battery in communication with the processor, and a token logic on the memory. The token logic detects the presence of the wireless communication device, receives a key from a user via the secure input, transmits the key to the wireless communication device, and monitors the presence of the wireless communication device while the wireless communication device is in use. The token logic prevents use of the wireless communication device upon detecting an absence of the wireless communication device.

In yet another exemplary embodiment, the present invention is a method for allowing use of a wireless communication device when in range of a proximity security token. The method includes detecting the presence of the proximity security token, receiving a secure input from the proximity security token, allowing use of the device, and monitoring the presence of the proximity security token while the device is in use. Use of the device is prevented upon detecting an absence of the proximity security token.

BRIEF DESCRIPTION OF THE DRAWINGS

FIGS. 1A and 1B show a wireless communication device for use with a proximity security token, according to an exemplary embodiment of the present invention.

FIGS. 2A and 2B show a proximity security token, or fob, according to an exemplary embodiment of the present invention.

FIG. 3 shows a method of the present invention utilizing a password backup for the presence of a proximity security token, according to an exemplary embodiment of the present invention.

FIG. 4 shows the separation of a wireless communication device from a proximity security token, according to an exemplary embodiment of the present invention.

FIG. 5 shows a wireless communication device being left in an automobile, according to an exemplary embodiment of the present invention.

FIG. 6 shows a method of the present invention utilizing a proximity security token for unlocking an application on a wireless communication device, according to an exemplary embodiment of the present invention.

FIG. 7 shows a screenshot of a user setup of a security application for use with a proximity security token, according to an exemplary embodiment of the present invention.

FIG. 8A shows a method of the present invention utilizing a proximity security token for unlocking a device and application, according to an exemplary embodiment of the present invention.

FIG. 8B shows a method of the present invention utilizing a proximity security token for unlocking a device and application, according to an exemplary embodiment of the present invention.

FIGS. 9A and 9B show proximity security tokens with an embedded input, according to embodiments of the present invention.

FIG. 10 shows a proximity security token further being used to unlock an automobile, according to an exemplary embodiment of the present invention.

FIG. 11 shows a method of utilizing a biometric sensor on a proximity security token, according to an exemplary embodiment of the present invention.

FIG. 12 shows a proximity security token used to authenticate a transaction, according to an exemplary embodiment of the present invention.

DETAILED DESCRIPTION

The following detailed description discloses devices, systems, and methods for additional security, functionality, and convenience in the operation of a wireless communication device with the use of a separate proximity security token in communication with the wireless communication device. In exemplary embodiments, the token is carried by the user while device logic is installed on the user's wireless communication device. The device logic, along with transceivers, allows the wireless communication device to sense proximity of the token through wireless communication. Given a certain range of the proximity security token, as determined by the wireless signal strength, the device logic locks or unlocks the wireless communication device. In embodiments of the invention, if the proximity security token is too far away, then the wireless communication device is locked and can only be accessed via a backup method of entering a password or other direct input form such as voice authentication. Embodiments of the proximity security token solution make use of ultra-low power communications so that the proximity security token does not need to be continuously recharged, but instead is powered by a long life coin cell battery.

The proximity security token also provides enhanced two factor authentication function for controlling other services on the wireless communication device or web based services via the wireless communication device. Exemplary embodiments of the present invention contain an input, such as a biometric scanner, within the proximity security token. The input provides for further authentication based upon the identity of the user or an entry.

In further exemplary embodiments, the proximity security token operates in one of two possible states of “active and unlocked” and “inactive and locked”. The biometric function on the proximity security token is utilized to authenticate the user to the proximity security token and thus put the proximity security token in an “active and unlocked” state. In the “active and unlocked” state, the proximity security token is able to communicate an approved unlock code to the wireless communication device via proximity communications. The “active and unlocked” token state may be based on a countdown timer sequence based upon user defined settings in logic on the wireless communication device logic. Once the timer expires, the proximity security token changes to an “inactive and locked” state that triggers a locked state being communicated to the wireless communication device. The user may put the proximity security token back into an “active and unlocked” state by performing an authentication activity directly on the proximity security token. This feature provides the user with safeguards against the wireless communication device remaining in an unlocked and user interface accessible state if the user loses control of both the proximity security token and the wireless device to, for instance, an attacker.

In further exemplary embodiments, the user is alerted of the separation of the wireless communication device and the proximity security token via an audible tone from the device and/or the proximity security token when the proximity security token and device are separated beyond a certain distance for a period of time defined by program logic. If the user leaves one or the other behind, then this makes the user aware that the wireless communication device or proximity security token is missing from their direct control. In exemplary embodiments of the invention, other security functions may be triggered so that data on the wireless communication device is properly secured when the proximity security token and wireless communication device become separated for an extended period of time. These security functions may include, but are not limited to, memory wipes, etc.

In exemplary embodiments of the invention, the proximity security token may be used by an assigned user to unlock building electronic access control systems, for unlocking and starting automobiles, etc. These embodiments may use the concept of unlocking the proximity security token with either a PIN code or biometric signature such as a fingerprint as a form of secondary authentication requirement so that the proximity security token is unlocked and able to approve the proximity based unlock of the system. In alternative forms these other systems being accessed may or may not require the secondary form of authentication in order to process a user requested function such as door entry or automobile ignition.

“Wireless communication device”, as used herein and throughout this disclosure, refers to any electronic device capable of wirelessly sending and receiving data. A wireless communication device may have a processor, a memory, a transceiver, an input, and an output. Examples of such devices include cellular telephones, personal digital assistants (PDAs), portable computers, etc. A wireless communication device also includes smart cards, such as contactless integrated circuit cards (CICC). The memory stores applications, software, or logic. Examples of processors are computer processors (processing units), microprocessors, digital signal processors, controllers and microcontrollers, etc. Examples of device memories that may comprise logic include RAM (random access memory), flash memories, ROMS (read-only memories), EPROMS (erasable programmable read-only memories), and EEPROMS (electrically erasable programmable read-only memories).

“Logic” as used herein and throughout this disclosure, refers to any information having the form of instruction signals and/or data that may be applied to direct the operation of a processor. Logic may be formed from signals stored in a device memory. Software is one example of such logic. Logic may also be comprised by digital and/or analog hardware circuits, for example, hardware circuits comprising logical AND, OR, XOR, NAND, NOR, and other logical operations. Logic may be formed from combinations of software and hardware. On a network, logic may be programmed on a server, or a complex of servers. A particular logic unit is not limited to a single logical location on the network.

Wireless communication devices may communicate with each other and with other elements via a network, for instance, a wireless network, or a wireline network. A “network” can include broadband wide-area networks, local-area networks, and personal area networks. Communication across a network is preferably packet-based; however, radio and frequency/amplitude modulations networks can enable communication between communication devices using appropriate analog-digital-analog converters and other elements. Examples of radio networks include WiFi and BLUETOOTH networks, with communication being enabled by hardware elements called “transceivers.” Wireless communication devices may have more than one transceiver, capable of communicating over different networks. For example, a cellular telephone can include a GPRS transceiver for communicating with a cellular base station, a WiFi transceiver for communicating with a WiFi network, and a BLUETOOTH transceiver for communicating with a BLUETOOTH device. A network typically includes a plurality of elements that host logic for performing tasks on the network.

In modern packet-based wide-area networks, servers may be placed at several logical points on the network. Servers may further be in communication with databases and can enable communication devices to access the contents of a database. A settings server is an example of such a server. A settings server can include several network elements, including other servers, and is part of a network, for example, a cellular network. A settings server hosts or is in communication with a database hosting an account for a user of a wireless communication device. The “user account” includes several attributes for a particular user, including a unique identifier of the wireless communication device(s) owned by the user, relationships with other users, driver settings, and other information.

For the following description, it can be assumed that most correspondingly labeled structures across the figures (e.g., 132 and 232, etc.) possess the same characteristics and are subject to the same structure and function. If there is a difference between correspondingly labeled elements that is not pointed out, and this difference results in a non-corresponding structure or function of an element for a particular embodiment, then that conflicting description given for that particular embodiment shall govern.

FIGS. 1A and 1B show a wireless communication device 100 for use with a proximity security token, according to an exemplary embodiment of the present invention. In this embodiment, wireless communication device 100 is a smartphone. Wireless communication device 100, using an onboard security application, exchanges signals with a proximity security token to determine whether the proximity security token is in proximity of wireless communication device 100. The signals include a unique identifier, such as a digital key. The unique identifier is unique to the proximity security token and is present to ensure that only the authorized proximity security token registers with wireless communication device 100. In exemplary embodiments of the present invention, with the proximity security token in close proximity, wireless communication device 100 is in an unlocked state, such that it may be operated by a user. Proximity is a distance that may be default or set by a user of wireless communication device 100.

FIG. 1A shows the external components of wireless communication device 100. Wireless communication device 100 includes a display 101, a keypad 103, a microphone 105, and an antenna 107. Display 101 may be a liquid crystal display (LCD), a light emitting diode display (LED), a touchscreen display, etc. and provides an output for applications stored on memory and executed by CPU. Keypad 103 provides for an input for device. Keypad 103 may contain alphanumeric keys as well as hotkeys, etc. Microphone 105 provides a further input for device. Microphone 105 may be used for voice calls, commands, recording, etc. Antenna 107 provides a means for sending and receiving signals from transceiver 119 to other devices, such as the proximity security token, or networks, such as cellular networks.

FIG. 1B shows the internal components of wireless communication device 100. The internal components include a central processing unit (CPU) 111, a memory 113 storing a device logic 114, a speaker 115, a battery 117 or other power supply, and a transceiver 119. CPU 111 controls the components of wireless communication device 100 by executing device logic 114 from memory 113. Memory 113 stores device logic 114 as well as other data for wireless communication device 100. Device logic 114 includes a security application for wireless communication device 100. In exemplary embodiments of the present invention, the security application provides for proximity-based security for wireless communication device 100. The security application operates transceiver 119 to send and receive signals to and from the proximity security token, measures the strength of the received signals, and determines whether the proximity security token is within an established proximity. If the proximity security token is within the established proximity of wireless communication device 100, then the security application allows access to wireless communication device 100 and/or applications on memory 113 of wireless communication device 100. If the proximity security token is not within the proximity, then the security application locks wireless communication device 100 and/or applications on wireless communication device 100. In addition to locking the device, the speaker may emit an audible alert.

The security application on logic 114 can lock wireless communication device 100 entirely, lock certain applications, or lock specific features of wireless communication device 100. For instance, when the proximity security token is out of range, logic 114 can lock a cellular transceiver on wireless communication device 100, thereby rendering wireless communication device 100 unable to connect to a cellular network. Alternatively, logic 114 can lock keypad 103 or touchscreen 101, thereby rendering wireless communication device 100 unusable. Specific folders or files, or sensitive data stored on memory 113 can be locked as well. Other combinations will be apparent to one of ordinary skill in the art in light of this disclosure.

FIGS. 2A and 2B show a proximity security token 220, or key fob, according to an exemplary embodiment of the present invention. Proximity security token 220 is a small hardware device with built-in authentication mechanisms. Proximity security token 220, when used in conjunction with a wireless communication device, allows access to the wireless communication device while proximity security token 220 is in proximity of the wireless communication device. In FIG. 2A, proximity security token 220 is shown in the form of a key fob. In this way, proximity security token 220 is attached to keys 230 such that it is likely kept with a user.

FIG. 2B shows the internal components of proximity security token 220. Proximity security token 220 contains a central processing unit (CPU) 221, a memory 223 containing a token logic 224, a battery 229 or other power supply, a transceiver 225, a speaker 222, and an antenna 227. CPU 221 controls the functions of proximity security token 220 according to logic 224 on memory 223. Memory 223 may be Random Access Memory (RAM), Read Only Memory (ROM), or any other means of physically storing logic 224. Battery 229 provides power to each of the components of proximity security token 220. In this exemplary embodiment, battery 229 is a coin cell battery, such as a watch battery. Transceiver 225 communicates with the wireless communication device, such as communicating with a smartphone. The communication occurs through antenna 227, which may be coiled around an outer perimeter of proximity security token 220. This communication may occur using any wireless technology, such as BLUETOOTH, BLUETOOTH LOW ENERGY (BLE), Near Field Communication (NFC), a proximity/contactless smart card, passive keyless entry, WiFi, cellular communication, etc. The communication is used to detect a distance between the wireless communication device and proximity security token 220, and transmit data between proximity security token 220 and the wireless communication device. The data includes a unique identifier identifying proximity security token 220. Speaker 222 provides an output for proximity security token 220. In this exemplary embodiment, speaker 222 emits an audible sound when proximity security token 220 is separated from the wireless communication device outside of the set proximity. The inner components of proximity security token 220 may be embedded within an outer cover of proximity security token 220, laminated between two external layers of proximity security token 220, or generally covered so as to maintain durability and weatherproofing of proximity security token 220.

In exemplary embodiments of a proximity security token, the proximity security token may include color diodes on the outer cover. The color diodes alert a user as to the state of the proximity security token and may further alert the user of available functions on a wireless communication device. For instance, the proximity security token may include red, yellow, and green diodes. The green diode may signify that the proximity security token is fully unlocked. The proximity security token may become fully unlocked, for instance, upon entry of a biometric by the user. In a fully unlocked state, the user may have full access to features and applications of the wireless communication device. The red diode may signify that the proximity security token is locked. The proximity security token may remain locked, for instance, when the proximity security token has not been activated and/or a user biometric has not been entered. In a locked state, the user may not be able to use any of the features or applications of the wireless communication device. The yellow diode may signify that the proximity security token is only partially unlocked. The proximity security token may be partially unlocked, for instance, when the proximity security token has been activated, but a user biometric has not been entered. In a partially unlocked state, the user may have access to certain features and applications of the wireless communication device, but not others. For instance, basic applications may be allowed while work applications remain locked. While three diodes are disclosed, embodiments of the invention may include any number or color of diodes.

FIG. 3 shows a method of the present invention utilizing a password backup for the presence of a proximity security token, according to an exemplary embodiment of the present invention. In this embodiment, the presence of the proximity security token unlocks a wireless communication device. The method begins when a user activates a wireless communication device S331. Device logic on the wireless communication device, along with a processor and transceiver on the wireless communication device, determines whether a proximity security token is within a set proximity S332. This determination may be accomplished by measuring a signal strength of a signal from the proximity security token. The range of the set proximity may vary based upon the type of wireless communication device being used and the user's preference. If the proximity security token is within the set proximity, then the wireless communication device is unlocked S335 and may be used. If the proximity security token is not present, or out of range of the set proximity, then the user is prompted to enter a password S333. The device logic on the wireless communication device then determines whether the entered password is correct S334. If the entered password is incorrect, then the wireless communication device remains locked S336. If the entered password is correct, then the wireless communication device is unlocked S335 and becomes operable by the user.

In other exemplary embodiments, the password entry provides a second layer of security, being utilized in addition to the detected presence of the proximity security token, rather than as a replacement to requiring the proximity security token. In another exemplary embodiment, a user picks up the user's smartphone and attempts to use the smartphone. If the user has the proximity security token on their keychain in the user's pocket, or anywhere within a set proximity, then the smartphone unlocks, and the user may use the smartphone. If the user forgot the proximity security token at home, then the user is instead prompted to enter a password to unlock the smartphone. If the user enters the correct password, then the smartphone is unlocked. If the password is not correct, then the smartphone remains locked until a correct password is entered or the proximity security token becomes present. In other exemplary embodiments, entering an incorrect password multiple times may cause the smartphone to deny repeated password attempts and remain locked until the proximity security token is present. Alternatively, entering an incorrect password multiple times indicates to the device logic that an unauthorized user is attempting to “crack” the password, causing the device logic to wipe the memory. Wiping includes simple formatting, redundant overwriting, physical destruction, etc. Such a feature may help to prevent the theft of highly sensitive data from the smartphone.
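The FIG. 3 flow (S331 to S336), together with the repeated-failure handling described above, can be sketched as follows. This is an added example, not code from the patent; the `DeviceLock` class, the attempt limit of three, the PBKDF2 password storage and clearing the failure count when the token returns are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

PBKDF2_ROUNDS = 100_000  # assumed work factor; the page does not say how the password is stored


def derive(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so the device never stores the backup password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class DeviceLock:
    salt: bytes
    password_hash: bytes
    max_attempts: int = 3          # assumed meaning of "multiple times"
    wipe_on_lockout: bool = False  # True selects the alternative embodiment (memory wipe)
    failed: int = 0
    wiped: bool = False

    def activate(self, token_in_range: bool, password: Optional[str] = None) -> str:
        """One pass through S331..S336; returns the resulting device state."""
        if self.wiped:
            return "WIPED"
        if token_in_range:                       # S332 -> S335
            self.failed = 0                      # assumption: token presence clears the lockout
            return "UNLOCKED"
        if self.failed >= self.max_attempts:     # password entry denied until the token is present
            return "LOCKED_TOKEN_REQUIRED"
        if password is None:                     # S333: prompt for the backup password
            return "PASSWORD_PROMPT"
        candidate = derive(password, self.salt)
        if hmac.compare_digest(candidate, self.password_hash):  # S334, constant-time compare
            self.failed = 0
            return "UNLOCKED"                    # S335
        self.failed += 1
        if self.failed >= self.max_attempts:
            if self.wipe_on_lockout:
                self.wiped = True                # stand-in for the real wipe routine
                return "WIPED"
            return "LOCKED_TOKEN_REQUIRED"
        return "LOCKED"                          # S336


def new_lock(password: str, **options) -> DeviceLock:
    # Constructed fixed salt keeps the demo repeatable; a real device would use os.urandom(16).
    salt = bytes(range(16))
    return DeviceLock(salt=salt, password_hash=derive(password, salt), **options)


def demo() -> List[str]:
    """Constructed scenario: token left at home, three bad guesses, then the token returns."""
    lock = new_lock("constructed-sample-password")
    return [
        lock.activate(False),                                 # prompt
        lock.activate(False, "guess-1"),
        lock.activate(False, "guess-2"),
        lock.activate(False, "guess-3"),                      # limit reached
        lock.activate(False, "constructed-sample-password"),  # too late without the token
        lock.activate(True),                                  # token back in range
    ]


if __name__ == "__main__":
    print(demo())
```
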

FIG. 4 shows the separation of a wireless communication device 400 from a proximity security token 420, according to an exemplary embodiment of the present invention. Proximity security token 420 is shown on a keychain with a key 430 such that it is likely to be carried with a user. In this exemplary embodiment, both wireless communication device 400 and proximity security token 420 detect the proximity to each other. Proximity security token 420 and wireless communication device 400 send out signals which are measured by the other. The strength of the signal is used to determine a distance between wireless communication device 400 and proximity security token 420. Alternatively, rather than measuring the signals, proximity security token 420 and wireless communication device 400 may simply determine whether or not a signal sequence is received within a prescribed amount of time. The signals may be transmitted at a strength that is only received when proximity security token 420 and wireless communication device 400 are within proximity. When wireless communication device 400 and proximity security token 420 are separated by more than an established distance, they are no longer within the set proximity. At this point, both wireless communication device 400 and proximity security token 420 emit an audible tone, notifying the user that he or she is leaving the other behind. The set proximity may be set at a time of manufacturing, at a time of uploading a security application to wireless communication device 400, by a user of wireless communication device 400, etc. For example, when both proximity security token 420 and wireless communication device 400 are able to sense the proximity of each other, both will emit the audible tone when separated. Such a feature may be useful, for example, when leaving a smartphone (or keys) in a taxi cab.

In other exemplary embodiments, only the wireless communication device is able to sense the proximity of the proximity security token. Because the proximity security token does not detect the distance of the wireless communication device, only the wireless communication device emits the audible tone. This feature is useful in a proximity security token without a power supply, for instance an RFID proximity security token, or one having an inductive coil antenna.

FIG. 5 shows a wireless communication device 500 being left in an automobile 542, according to an exemplary embodiment of the present invention. When wireless communication device 500 and the proximity security token are separated by a predetermined distance, wireless communication device emits an audible tone. For instance, when the user gets out of automobile 542 with the proximity security token but without wireless communication device 500, wireless communication device 500 and the proximity security token are separated. Wireless communication device 500 detects the separation. Once the separation exceeds the established proximity, wireless communication device 500 emits an audible tone. This notifies anyone remaining in automobile 542 that wireless communication device 500 is being left behind.

In further embodiments of the present invention, when the wireless communication device detects a separation from the proximity security token, the wireless communication device sends a signal which is received by a transceiver of an automobile, causing the automobile to emit an audible tone such as a horn. Such an audible tone may be easier for the user to hear from outside the automobile. This feature can come preloaded on an automobile, or may be available as an aftermarket addition.

FIG. 6 shows a method of the present invention utilizing a proximity security token for unlocking an application on a wireless communication device, according to an exemplary embodiment of the present invention. In this embodiment, a user activates the wireless communication device and attempts to access the application S650, for instance, by pressing an icon on a touchscreen display of the wireless communication device. Device logic on the wireless communication device determines whether a proximity security token is required to access the application S651. If the proximity security token is not required, then the application is available for use by the user S652. If the proximity security token is required for the application, then the application remains inaccessible until the device logic determines whether the proximity security token is present S654. This may be accomplished by detecting and/or measuring signals from the proximity security token to the wireless communication device. In addition to being present, the device logic may also require the proximity security token to be activated, such as by pressing a button on the proximity security token, inputting a biometric to the proximity security token, etc. If the proximity security token is required, but not present, then the application remains locked S655. If the proximity security token is present, then the application is unlocked for use by the user S652. The device logic constantly or periodically monitors for the presence of the proximity security token while the application is unlocked S653. The device logic determines whether the proximity security token is present S654. If the proximity security token remains present, then the application remains unlocked S652. If the proximity security token is no longer in proximity to the wireless communication device, then the application is locked S655.
In certain embodiments of the present invention, when the application is locked S655, the wireless communication device starts an internal timer S656. The wireless communication device monitors for the presence of the proximity security token S653. The wireless communication device determines whether the proximity security token has been absent from the proximity for more than a set period of time S657, such as thirty minutes, as measured by the internal timer and either established by the user or by pre-set logic. If the proximity security token is absent for the set period of time, the memory of the wireless communication device is wiped S658. Such a feature may be set by the user for wireless communication devices containing sensitive information. This may serve to prevent sensitive data from being stolen from the wireless communication device.
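The FIG. 6 flow (S650 to S658) can be read as a small state machine. The sketch below is an added example, not code from the patent: the class and method names, the -70 dBm threshold, and the app names are assumptions, and it additionally assumes that a returning token cancels the absence timer while the application unlocks again only on the next access attempt.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Policy:
    rssi_threshold_dbm: float = -70.0   # assumed cut-off for "within proximity"
    wipe_after_s: float = 30 * 60       # "such as thirty minutes" in the text
    protected_apps: frozenset = frozenset({"email", "bank"})  # assumed names


class DeviceLogic:
    """Hypothetical device logic following steps S650-S658 of FIG. 6."""

    def __init__(self, policy: Policy, wipe: Callable[[], None]):
        self.policy = policy
        self._wipe = wipe
        self.unlocked: set = set()
        self.absent_since: Optional[float] = None  # internal timer start (S656)
        self.wiped = False

    def token_present(self, rssi_dbm: Optional[float]) -> bool:
        # S654. None means no signal arrived in the polling window; fail closed.
        return rssi_dbm is not None and rssi_dbm >= self.policy.rssi_threshold_dbm

    def monitor(self, rssi_dbm: Optional[float], now: float) -> str:
        # S653: called on every poll, whether or not an app is in use.
        if self.wiped:
            return "wiped"
        if self.token_present(rssi_dbm):
            self.absent_since = None            # token is back: cancel the timer
            return "present"
        self.unlocked.clear()                   # S655: lock protected apps
        if self.absent_since is None:
            self.absent_since = now             # S656: start the timer once
        if now - self.absent_since >= self.policy.wipe_after_s:   # S657
            self.wiped = True
            self._wipe()                        # S658: runs exactly once
            return "wiped"
        return "locked"

    def request_access(self, app: str, rssi_dbm: Optional[float], now: float) -> bool:
        if self.wiped:
            return False
        if app not in self.policy.protected_apps:   # S651 -> S652
            return True
        self.monitor(rssi_dbm, now)                 # may lock and start the timer
        if self.token_present(rssi_dbm):
            self.unlocked.add(app)                  # S652
            return True
        return False                                # S655


def run_demo():
    """Replay a constructed sequence of (time, RSSI) polls and access attempts."""
    wipes = []
    dev = DeviceLogic(Policy(), wipe=lambda: wipes.append("wipe"))
    trace = [
        dev.request_access("notepad", None, 0),     # unprotected app, no token
        dev.request_access("email", -55.0, 10),     # token close: unlock
        dev.monitor(-60.0, 20),                     # still in range
        dev.monitor(-85.0, 30),                     # out of range: lock, timer starts
        dev.request_access("email", -85.0, 40),     # denied while absent
        dev.monitor(-58.0, 600),                    # token returns: timer cancelled
        dev.monitor(None, 700),                     # signal lost: timer restarts
        dev.monitor(None, 700 + 1799),              # one second short of the limit
        dev.monitor(None, 700 + 1800),              # limit reached: wipe
        dev.request_access("email", -50.0, 3000),   # nothing left to unlock
    ]
    return trace, wipes


if __name__ == "__main__":
    print(run_demo())
```

Timestamps are passed in explicitly so the trace is deterministic; a real implementation would read a monotonic clock so that changing the wall-clock time cannot postpone S657.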

In some embodiments of the present invention, a proximity security token may be in a fixed location, such as an office building, such that a business application on a wireless communication device may only be used in that location. It may be desirable to have access to a virtual private network limited to devices in the office building. Applications such as a notepad may be used at any location. Thus, a notepad application on a laptop associated with the proximity security token can be accessed by a user from home while the laptop is at home. However, if the user tries to access the business application, the business application is locked because the proximity security token is not present at home. When at the office building with the laptop, the proximity security token is in proximity of the laptop and the user is allowed to access the business application. Logic on the laptop constantly monitors whether the proximity security token is within a set proximity. Thus, if the user is accessing the business application while leaving the building with the laptop, the business application locks when the user leaves the building, as it is no longer in proximity with the proximity security token.

In other exemplary embodiments the entire memory need not be wiped, but only a sensitive portion of the memory, as defined by a user of the wireless communication device, a user's employer, a service provider, or an author of the sensitive data.

FIG. 7 shows a screenshot of a user setup 760 of a security application for use with a proximity security token, according to an exemplary embodiment of the present invention. In this embodiment, user setup 760 is shown on a display 701 of a wireless communication device 700. User setup 760 includes a status 761, a signal strength 763, a biometric requirement 767, a memory purging option 765, an ‘OK’ button 769, and a ‘Cancel’ button 768. Other settings will be evident to one skilled in the art in light of this disclosure.

A user may use a keypad 703 on wireless communication device 700 to select from options on user setup 760. Status 761 displays a current status of wireless communication device 700 with respect to the proximity security token. For instance, status 761 shows that the proximity security token is in range and wireless communication device 700 is currently unlocked. Signal strength 763 displays a current signal strength between wireless communication device 700 and the proximity security token. Using status 761, for a specific signal strength the user may specify that at the current strength wireless communication device 700 should be locked. Biometric requirement 767 allows the user to determine what, if any, biometric is required to unlock the device and/or an application, and for which applications. For instance, the screenshot shows that email, client database, and bank software require a biometric. Memory purging option 765 allows the user to set a time at which the memory of wireless communication device 700 is purged. This time is an amount of time wireless communication device 700 is out of proximity with the proximity security token. ‘OK’ button 769 allows the user to accept the current settings. ‘Cancel’ button 768 does not accept the current settings but instead reverts to previous settings. These settings may also be pre-set for the user at the time the security application is loaded onto wireless communication device 700.

There are many ways to display the options associated with the proximity security token. Of the options in FIG. 7, more detailed options can be specified. The memory need not be wiped completely in every application. For some applications, only a portion of the memory may need purging. Applications requiring biometrics may need specific forms of biometric in order to be accessed. Different tokens may come with different forms of input. The options displayed will match the available input.

FIG. 8A shows a method of the present invention utilizing a proximity security token for unlocking a device and application, according to an exemplary embodiment of the present invention. In this embodiment, the user must first activate the proximity security token S870. This may be accomplished by touching the proximity security token, pressing a button on the proximity security token, swiping a finger on an input of the proximity security token, etc. With the proximity security token activated, the user manipulates a biometric sensor on the proximity security token S871. This may be swiping the user's fingerprint on the biometric sensor, scanning the iris of the user with the biometric sensor, detecting the voice of the user, etc. The wireless communication device then determines whether the biometric input matches a biometric for an authorized user S872. Alternatively, logic on the proximity security token determines whether the biometric input matches an authorized user and sends a confirmation to the device. If the biometric input does not match, then the wireless communication device is locked and inoperable S875. If the biometric input matches an authorized user, then the wireless communication device is unlocked S873. With the wireless communication device unlocked, logic on the wireless communication device determines whether the proximity security token remains in proximity to the wireless communication device S874. If the proximity security token is no longer in proximity to the wireless communication device, then the wireless communication device is locked and becomes inoperable S875. If the proximity security token remains in proximity to the wireless communication device, then the device remains unlocked and access to applications is granted S876. The wireless communication device continues to monitor the proximity while the device is in use S877.
If the proximity security token is no longer in proximity to the wireless communication device, then the wireless communication device is locked S875. The wireless communication device remains unlocked while the proximity security token remains in proximity.

For example, a user grabs their smartphone and proximity security token before heading out for the day. While the smartphone is not in use, the proximity security token may be in a low power mode, or sleep mode. The user activates the proximity security token by pressing a button on the proximity security token, bringing the proximity security token out of sleep mode. The user then swipes a finger across a fingerprint scanner on the proximity security token. The smartphone determines that the biometric entry matches that of the user and unlocks the smartphone. With the biometric match, the smartphone remains unlocked while in the proximity of the proximity security token.

Either the press of the button or the swiping of the finger may bring the proximity security token into an active mode. According to embodiments of the present invention, the proximity security token must be present and active to unlock the smartphone and/or applications on the smartphone.

In other exemplary embodiments of the present invention, the user sets a limited duration for the unlocked mode. Once unlocked, a timer in the proximity security token begins to count down for the duration. After the duration expires, the user is required to re-authenticate by swiping the user's finger once again. For example, the user may program the smartphone to require authentication after every hour, after five minutes of non-use, etc.

In further exemplary embodiments of the present invention, an application may require a secondary authentication in order to process a request. The user may utilize the proximity security token to input the secondary authentication, such as a biometric of the user.

FIG. 8B shows a method of the present invention utilizing a proximity security token for unlocking a device and application, according to an exemplary embodiment of the present invention. In this embodiment, the user must first activate the proximity security token S870. This may be accomplished by touching the proximity security token, pressing a button on the proximity security token, swiping a finger on an input of the proximity security token, etc. With the proximity security token activated, a timer on the proximity security token starts S878. The timer lasts for a period of time in which the proximity security token is to remain active. This period of time may be set by the user, by a manufacturer, by a wireless communication device, etc. The method determines whether the period of time has elapsed and the timer has ended S879. If the timer has ended, the user must activate the token again S870. If the timer has not ended, the wireless communication device and/or the proximity security token determines whether the proximity security token is in proximity of the wireless communication device S874. If the proximity security token is not in proximity of the wireless communication device, the wireless communication device is locked S875. If the proximity security token is in proximity of the wireless communication device, the wireless communication device is unlocked S873. With the wireless communication device unlocked, the wireless communication device monitors the proximity of the proximity security device S877. The user then attempts to access an application. The wireless communication device determines whether a secondary authentication is required to access the application S837. If secondary authentication is not required, access to the application is allowed S876. If secondary authentication is required, the user must swipe a finger on the proximity security token S871 or otherwise enter a biometric.
The wireless communication device and/or the proximity security token determines whether the user's biometric matches a stored biometric for the user S872. If the user's biometric matches, access to the application is allowed S876. If the user's biometric does not match, access to the application is blocked S838.

FIGS. 9A and 9B show proximity security tokens in the form of key fobs with an embedded input, according to embodiments of the present invention. The embedded inputs allow for a second level of authentication of a user, in addition to the proximity of the proximity security token to a wireless communication device. Embedded inputs could be in many varying forms of icon usage such as numbers or symbols. In FIG. 9A, the input is a biometric sensor, such as a fingerprint scanner 926 on proximity security token 920. In this embodiment, fingerprint scanner 926 is used as a secondary authentication. When a user swipes a finger across fingerprint scanner 926, an image of the fingerprint is optically scanned. The image is then compared to a previously recorded image in order to authorize the user. In this embodiment, the comparison is accomplished by logic on board proximity security token 920. Proximity security token 920 is portable, sealed to be weatherproof, and attached to a keychain 930.

In FIG. 9B, the input is a keypad 928 on a proximity security token 920. Keypad 928 is used to enter a key or key sequence to further authenticate a user. The key sequence is compared with a stored key sequence. A match confirms the user is an authorized user. In this embodiment, the comparison is performed by logic on board proximity security token 920.

In other exemplary embodiments, the fingerprint scanner or the keypad is used to energize or awaken the proximity security token from a low-power or sleep mode. The comparison of a key sequence or fingerprint scan is alternatively accomplished by a wireless communication device being unlocked. The proximity security token may be any shape or size, and may be ergonomically and/or visually appealing.

FIG. 10 shows a proximity security token 1020 being used to unlock an automobile 1042, according to an exemplary embodiment of the present invention. In this embodiment, automobile 1042 is unlocked and/or able to be started due to the detection of proximity security token 1020. Automobile 1042 includes a central processing unit (CPU) 1044, a memory 1046 containing an automobile logic 1047, and a transceiver 1048 in order to determine a distance of proximity security token 1020. In this embodiment, proximity security token 1020 is shown on a keychain 1030, such that it remains in the possession of a user. When the user in possession of proximity security token 1020 walks within the proximity of automobile 1042, at a set distance, logic 1047 automatically unlocks automobile 1042. In this embodiment, the engine of automobile 1042 also starts automatically due to the proximity of proximity security token 1020. CPU 1044, transceiver 1048, and logic 1047 are used to determine a distance between automobile 1042 and proximity security token 1020. At one detected distance, logic 1047 causes the door or doors to unlock. At the same distance or a second detected distance, logic 1047 causes automobile 1042 to start.

In other embodiments, the automobile starts at a shorter distance than the unlocking of automobile 1042, such as when the user with proximity security token 1020 is in the driver's seat of automobile 1042. Alternate embodiments allow the user to set distances for starting and unlocking. For instance, a user may desire the automobile to start at a further distance, allowing the inner cabin of automobile 1042 to reach a comfortable climate. Another user may not want automobile 1042 to unlock until the user is right next to automobile 1042. In some embodiments, the user sets automobile 1042 to only unlock the driver's side door, while other embodiments enable a user to set automobile 1042 to unlock all the doors. In embodiments of the invention, after the doors of automobile 1042 have been opened due to the proximity of proximity security token 1020, starting the ignition of automobile 1042 requires a secondary authentication with a biometric, code, etc.

FIG. 11 shows a method of utilizing a biometric sensor on a proximity security token, according to an exemplary embodiment of the present invention. In this embodiment, a user makes an attempt to activate a wireless communication device S1180, for example, a smartphone. This attempt is made by touching the screen, pressing a button, etc. Device logic on the wireless communication device determines whether the proximity security token, or key fob, is present S1181. This is accomplished by invoking a transceiver to communicate with the proximity security token, and determining a distance between the wireless communication device and the proximity security token using the methods described herein. If the proximity security token is not present, then the wireless communication device remains locked and the user cannot access applications on the wireless communication device S1182. If the proximity security token is present, then the wireless communication device is unlocked, allowing the user to access applications, make calls, etc. S1183. With the wireless communication device unlocked, an attempt is made to conduct a transaction on the wireless communication device S1184. This transaction may be a purchase, a download, an upload, an attempt to access an application or web service, etc. The device logic on the wireless communication device determines whether a biometric is required to conduct the transaction S1185. This determination may be made based upon rules stored within the device logic, requests for authentication from outside entities, requests from an independent operation such as a web service, etc. A required biometric provides an extra layer of security for the transaction. If a biometric is not required for the transaction, then the transaction is allowed S1187. If a biometric is required, then the logic determines whether an input biometric matches a stored biometric for an authorized user S1186.
This logic could be performed either on the proximity security token and/or the wireless communication device. This biometric may be a fingerprint scan, an iris scan, a voice detection, etc., stored on either the proximity security token or the wireless communication device. If the biometric matches the stored biometric, then the transaction is allowed S1187. If the biometric does not match the stored biometric, then the transaction fails S1188.

In further embodiments of the invention, a failed biometric locks the entire device, while in other embodiments other applications on the device may still be used. Instead of conducting a transaction, the same process is used to access an application or database in other embodiments. In other exemplary embodiments, the user may desire to use a smartphone to access a mobile banking application. The user unlocks the smartphone by attempting to access the smartphone with the proximity security token present. The user then attempts to access the mobile banking application. This application requires a higher level of security than other applications, and the user's fingerprint is requested on the proximity security token. The user scans their fingerprint on the proximity security token. If the user's fingerprint matches the authorized fingerprint for the application, then the user is able to access the mobile banking application.

Alternatively, the user accesses a bank's website over a mobile browser that requires the user to log in using a username and password. The bank website requires two-factor authentication and requests the smartphone to authenticate the user's identity. The smartphone prompts the user to swipe the user's finger on the proximity security token. If the fingerprint matches, then the authentication succeeds and the user can access the bank website. In these embodiments, a fingerprint match releases a one-time password to the smartphone, which in turn submits the one-time password or other authentication credential or authorization to the bank website to complete the authentication process.
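The release of a one-time password on a fingerprint match can be shown end to end with both sides of the exchange. This is an added example, not code from the patent: the text does not name an OTP algorithm, so counter-based HOTP (RFC 4226) is assumed, the class names are hypothetical, and the fingerprint matcher is a constructed stand-in for a real biometric comparison.

```python
import hashlib
import hmac
import struct
from typing import Callable, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class ProximityToken:
    """Hypothetical token: the shared secret never leaves it, only OTPs do."""

    def __init__(self, secret: bytes, matcher: Callable[[str], bool]):
        self._secret = secret
        self._matcher = matcher      # stand-in for the on-token biometric match
        self._counter = 0

    def release_otp(self, scan: str) -> Optional[str]:
        if not self._matcher(scan):
            return None              # no match: nothing is released
        otp = hotp(self._secret, self._counter)
        self._counter += 1           # each released OTP uses a fresh counter
        return otp


class BankVerifier:
    """Hypothetical server side with a small look-ahead window for lost OTPs."""

    def __init__(self, secret: bytes, window: int = 3):
        self._secret = secret
        self._counter = 0
        self._window = window

    def verify(self, otp: str) -> bool:
        for c in range(self._counter, self._counter + self._window + 1):
            expected = hotp(self._secret, c)
            if hmac.compare_digest(expected.encode(), otp.encode()):
                self._counter = c + 1    # moving past c rejects any replay
                return True
        return False


def run_demo():
    secret = b"12345678901234567890"     # RFC 4226 test secret, not a real key
    enrolled = "constructed-enrolled-scan"
    token = ProximityToken(secret, matcher=lambda scan: scan == enrolled)
    bank = BankVerifier(secret)

    results = {}
    results["wrong_finger"] = token.release_otp("someone-else")
    otp1 = token.release_otp(enrolled)   # smartphone receives the OTP
    results["otp1"] = otp1
    results["login"] = bank.verify(otp1)         # smartphone submits it
    results["replay"] = bank.verify(otp1)        # same OTP a second time
    token.release_otp(enrolled)                  # released but never submitted
    otp3 = token.release_otp(enrolled)
    results["after_skip"] = bank.verify(otp3)    # accepted within the window
    return results


if __name__ == "__main__":
    print(run_demo())
```

Because the verifier advances its counter past every accepted value, an OTP captured between the smartphone and the website is useless once it has been submitted.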

FIG. 12 shows a proximity security token 1220 used to authenticate a transaction, according to an exemplary embodiment of the present invention. In this embodiment, a wireless communication device 1200 is being used to make a payment to a register 1290, for instance, using Near Field Communication (NFC). A user rings up an item at register 1290 and proceeds to payment. An application on wireless communication device 1200 first confirms that proximity security token 1220 is within a set proximity to wireless communication device 1200 to proceed with the purchase process. In order to initiate a payment, the application makes a request to the user to provide authentication to proximity security token 1220 with a fingerprint as a second factor for authentication of the user. Once proximity security token 1220 authorizes the fingerprint, wireless communication device 1200 sends the payment information to register 1290 and the payment transaction is complete. Such a transaction uses a one-time password (OTP) token standard. In other exemplary embodiments of the present invention, second-factor authentication is only required when a payment amount is over a specified amount or given some other user or system defined parameters.

In an alternative embodiment, the wireless communication device authorizes the fingerprint or other biometric of the user. Credentials for the user are stored on the wireless communication device, such as in the UICC, SIM card, or a memory of the wireless communication device. The proximity security token transmits a fingerprint template of the scanned fingerprint to the wireless communication device where the fingerprint template is verified with the credentials. Once the wireless communication device verifies the fingerprint, the wireless communication device sends the payment information to the register and the payment transaction is complete.

The foregoing disclosure of the exemplary embodiments of the present invention has been presented for purposes of illustration and description. It is not intended to be exhaustive or to limit the invention to the precise forms disclosed. Many variations and modifications of the embodiments described herein will be apparent to one of ordinary skill in the art in light of the above disclosure. The scope of the invention is to be defined only by the claims appended hereto, and by their equivalents.

Further, in describing representative embodiments of the present invention, the specification may have presented the method and/or process of the present invention as a particular sequence of steps. However, to the extent that the method or process does not rely on the particular order of steps set forth herein, the method or process should not be limited to the particular sequence of steps described. As one of ordinary skill in the art would appreciate, other sequences of steps may be possible. Therefore, the particular order of the steps set forth in the specification should not be construed as limitations on the claims. In addition, the claims directed to the method and/or process of the present invention should not be limited to the performance of their steps in the order written, and one skilled in the art can readily appreciate that the sequences may be varied and still remain within the spirit and scope of the present invention.

I claim:
 1. A device comprising: a processor; and a memory coupled to the processor, the memory storing instructions that, when executed by the processor, cause the processor to perform operations comprising: determining that a proximity security token is required to access an application, in response to determining that the proximity security token is required to access the application, locking access to the application, in response to detecting an attempt to access the application, determining if the proximity security token is present, detecting a presence of the proximity security token by measuring signals emitted by the proximity security token, determining if the proximity security token is within a predefined distance of the device, and in response to a determination that the proximity security token is within the predefined distance of the device, obtaining a unique identifier from the proximity security token, and in response to obtaining the unique identifier, unlocking the application.
 2. The device of claim 1, wherein the instructions, when executed by the processor, cause the processor to perform operations further comprising: determining if the proximity security token remains within the predefined distance; and in response to a determination that the proximity security token does not remain within the predefined distance, locking the application.
 3. The device of claim 2, wherein the instructions, when executed by the processor, cause the processor to perform operations further comprising: starting a timer for a set time period upon locking the application; and determining, upon expiration of the timer, if the proximity security token is within the predefined distance.
 4. The device of claim 3, wherein the instructions, when executed by the processor, cause the processor to perform operations further comprising: in response to determining that the proximity security token is not within the predefined distance, wiping a portion of the memory.
 5. The device of claim 3, wherein the instructions, when executed by the processor, cause the processor to perform operations further comprising: in response to determining that the proximity security token is not within the predefined distance, wiping the memory.
 6. The device of claim 1, further comprising a display, wherein the instructions, when executed by the processor, causes the processor to perform operations further comprising displaying a plurality of security settings on the display.
 7. The device of claim 6, wherein the security settings comprise an option to wipe the memory after the set time period and a further option for requiring biometric information.
 8. The device of claim 7, further comprising an input device, wherein the security settings are adjustable via the input device.
 9. The device of claim 1, further comprising a speaker, wherein the operations further comprise emitting a sound through the speaker upon detecting an absence of the proximity security token.
 10. A method comprising: determining, by a device that executes a token logic, whether a proximity security token is required to access an application; in response to determining that the proximity security token is required to access the application, locking, by the device, access to the application; detecting, by the device, an attempt to access the application; in response to detecting the attempt to access the application, determining, by the device, if the proximity security token is within a predefined distance of the device by measuring signals emitted by the proximity security token; in response to a determination that the proximity token is not within the predefined distance, not unlocking the application; and in response to a determination that the proximity token is within the predefined distance requesting, by the device, a unique identifier from the proximity security token, and in response to obtaining the unique identifier from the proximity security token, unlocking, by the device, the application.
 11. The method of claim 10, wherein the secure input comprises a biometric input.
 12. The method of claim 10, further comprising requiring the secure input to conduct a transaction.
 13. The method of claim 10, further comprising generating a one-time password.
 14. The method of claim 10, further comprising: determining if the proximity security token remains within the predefined distance of the device; and in response to a determination that the proximity security token does not remain within the predefined distance of the device, locking the application.
 15. The method of claim 14, further comprising: starting a timer for a set time period upon locking the application; and determining, upon expiration of the timer, if the proximity security token is within the predefined distance.
 16. The method of claim 15, further comprising: in response to determining that the proximity security token is not within the predefined distance, wiping a portion of a memory of the device.
 17. The method of claim 15, further comprising: in response to determining that the proximity security token is not within the predefined distance, wiping a memory of the device.
 18. A method comprising: determining, by a mobile communications device that executes a token logic, that a proximity security token is required to access an application executed by the mobile communications device; in response to determining that the proximity security token is required to access the application, locking, by the mobile communications device, access to the application; detecting, by the mobile communications device, an attempt to access the application; in response to detecting the attempt to access the application, determining, by the mobile communications device, if the proximity security token is within a predefined distance of the mobile communications device by measuring signals emitted by the proximity security token; in response to a determination that the proximity token is not within the predefined distance, not unlocking the application; and in response to a determination that the proximity token is within the predefined distance requesting, by the mobile communications device, a unique identifier from the proximity security token, and in response to obtaining the unique identifier from the proximity security token, unlocking, by the mobile communications device, the application.
 19. The method of claim 18, further comprising: determining if the proximity security token remains within the predefined distance of the mobile communications device; in response to a determination that the proximity security token does not remain within the predefined distance of the mobile communications device, locking the application; starting a timer for a set time period upon locking the application; and determining, upon expiration of the timer, if the proximity security token is within the predefined distance.
 20. The method of claim 19, further comprising: in response to determining that the proximity security token is not within the predefined distance, wiping a portion of a memory of the mobile communications device.